I have a handful of fields that I've extracted from the raw event data using the rex function. Now that I have these fields, I've applied some stat grouping and counting to them, but I'm unable to properly display additional fields without grouping on them.
The stats line looks like this: | stats values(problem) AS prob count by problemType problemLocation . That line produces a table that holds a problemType in the first column, the problem location in the second column, and a list of unique problems that are of that problemType and were caused at that problemLocation in a third column, given by the values function.
Each event only has 1 value for prob in this third column, and also only 1 value for another field X. I'm now trying to display, in a fourth column, values of this X field that match up in the same row with the displayed prob values in the third column without having to group everything else by them.
Any help would be appreciated.
Give this a try
your current search with fields problemType problemLocation problem x
| eval problem=problem."##".x
| stats count by problemType problemLocation problem
| table problemType problemLocation problem
| rex field=problem "(?<problem>.+)##(?<x>.+)"
| stats list(problem) as problem list(x) as x by problemType problemLocation
Does | stats values(problem) AS prob values(x) as x count by problemType problemLocation not give the desired results?
@richgalloway that displays the values of the X column, but it doesn't align those values with the values shown in prob. This is to say that if there are 3 values shown in the prob column, then the adjacent column should display the 3 corresponding x values. This should be possible because each event has only one prob value and only one x value.
I also apply | eval prob=mvindex(prob, 0, 4) at the end to cut the output to only 5 values, although this is a slightly different situation.